Review: AppShield 4.0

Sanctum's AppShield provides a strong defense against Web-based attacks, although it doesn't offer some of the leading-edge security protection its competitors provide.

EXECUTIVE SUMMARY

AppShield 4.0

Sanctum's AppShield provides a strong defense against Web-based attacks, although it doesn't offer some of the leading-edge security protection its competitors provide. It has the most established track record in the field. AppShield costs $15,000 per Web server or application server.

KEY PERFORMANCE INDICATORS

USABILITY: FAIR
CAPABILITY: FAIR
PERFORMANCE: GOOD
INTEROPERABILITY: EXCELLENT
MANAGEABILITY: GOOD
SCALABILITY: GOOD
SECURITY: GOOD

PRO: Offers a broader set of integration options with third-party products than competitors provide.

CON: Initially defining security exception rules was a slow, labor-intensive process in tests; no support for protecting Web services.

EVALUATION SHORT LIST: Kavado's InterDo; Teros' Teros-100 APS

Sanctum's AppShield is the most well-established product in the Web application firewall space, having first delivered on the core concepts of stateful HTML traffic inspection and filtering in 1999, when the product first shipped.
Now at a 4.0 release, AppShield has a proven track record and the broadest integration support for third-party firewall and application server products. (All three firewalls we tested are compliant with Check Point Software Technologies Ltd.'s Operational Security.)

Like InterDo, AppShield is a host-based product and runs on Windows and Solaris. It's priced at $15,000 per protected Web server or application server, for up to three protected servers; after that, the price per server starts to drop.

Unlike InterDo (but like Teros-100 APS), AppShield is a stateful HTTP firewall and automatically identifies each Web client and then inspects outgoing traffic to that client to automatically build rules about what valid traffic that client can next submit. Out of the box, AppShield will protect against form fields being added or removed, hidden form fields having their values changed by the client or client-side cookie modification.
However, this dynamic approach can cause site incompatibility problems. This is particularly the case with links and page content generated dynamically on the client using JavaScript. AppShield (and Teros-100 APS) cannot parse outgoing JavaScript code and so will flag the URLs generated by client-side JavaScript as potential attacks. We needed to create security rule exceptions in each product to allow one part of our test application that did this to work.
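The following Python sketch is an added illustration of the stateful, response-learning approach described above; it is not AppShield code or anything from the review. It parses the forms in a page sent to a client, records field names and hidden values for that client's session, and then checks the client's next submission for added fields, removed fields and changed hidden values; a URL the client was never shown (the client-side JavaScript case) is reported as unknown, which is exactly the false positive the review notes. The HTML, action paths and field names are constructed.

```python
from html.parser import HTMLParser
# Constructed sample response: a checkout form with a server-set hidden price.
SAMPLE_RESPONSE = """
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="100">
  <input type="text" name="qty" value="1">
</form>
"""

class FormExtractor(HTMLParser):
    """Record every form in an outgoing page: action -> {field: (type, value)}."""
    def __init__(self):
        super().__init__()
        self.forms = {}
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
            self.forms[self._action] = {}
        elif tag in ("input", "select", "textarea") and self._action is not None:
            if a.get("name"):
                self.forms[self._action][a["name"]] = (a.get("type", "text"), a.get("value"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None

def learn_from_response(session_state, html):
    """Build per-client rules from the page just sent to that client."""
    parser = FormExtractor()
    parser.feed(html)
    session_state.update(parser.forms)

def check_request(session_state, action, submitted):
    """Compare the client's next submission against what that client was shown."""
    expected = session_state.get(action)
    if expected is None:
        # A URL the client was never sent (e.g. one built by client-side JavaScript)
        # has no learned rule, so a stateful filter treats it as a potential attack.
        return [f"unknown action: {action}"]
    violations = [f"added field: {n}" for n in sorted(submitted.keys() - expected.keys())]
    violations += [f"removed field: {n}" for n in sorted(expected.keys() - submitted.keys())]
    for name, (ftype, value) in expected.items():
        if ftype == "hidden" and name in submitted and submitted[name] != value:
            violations.append(f"hidden field modified: {name}")
    return violations
```

Feed each outgoing response for a session through learn_from_response and each incoming form post through check_request; an empty list means the submission matches the page the client was given.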
AppShield and Teros-100 APS can also prevent Web applications from behaving the way users expect by blocking deep linking and the ability to bookmark inner pages unless appropriate security exceptions are created. (AppShield allows special support for bookmarks to be turned on, although the manual warns that this feature adds considerable system load.)
InterDo works in a different way, using a static list of allowed or banned URLs, as it doesn't track traffic on a client-by-client basis. As a result, it does not have these same issues with URLs or bookmarking, but it also doesn't have the flexibility that AppShield and Teros-100 APS do to dynamically determine when invalid URLs are requested.
AppShield had the most cumbersome security-exception-rule-generation process of the three products we tested.
Teros-100 APS generates its rules based on what a large number of actual site sessions agree is valid, and InterDo generates rules from an automatic site scan (using ScanDo, its companion site scanning tool). Both of these approaches are efficient, although we like the Teros-100 APS approach best for big sites.
To generate exception rules for AppShield, meanwhile, we had to define a trusted IP and then manually exercise every part of a Web application. For a site of any significant size, this is a real burden and introduces potential for human error. The alternative is to create security rules one by one using AppShield's Rule Manager or to generate rules by approving exceptions out of AppShield's log (which can be done singly or in groups).
Note that for both AppShield and Teros-100 APS, security exceptions need only be created where applications do unusual things that look like security attacks.
AppShield does provide a set of easily enabled settings that can be used to quickly provide general HTTP protection. In addition, new with AppShield 4.0 is a set of three predefined security levels (basic, intermediate and strict) that quickly provide broad site protection, though not with the specificity or control that the rule-based approaches provide.
Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a master's of arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.